What kind of fine is warranted for losing patient data? The feds want your input

The Department of Health and Human Services is asking for comments about assessing fines or other remedies for potential violations. The agency noted the rise of cybersecurity threats involving patient data.

The federal government is seeking public comment on measures related to the protection of patient information and financial penalties for the loss of data.

The U.S. Department of Health and Human Services is asking for input on two separate issues regarding patient privacy. Both relate to the Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which was amended last year.

“The growing number of cybersecurity threats are a significant concern driving the need for enhanced safeguards of electronic protected health information,” HHS said in a news release.

First, the health department is asking for public comment on how healthcare organizations are implementing security measures to protect patient privacy.

Under the law, the health department must consider “recognized security practices” when determining penalties, audit results, or any other possible remedies for any violations of the Health Insurance Portability and Accountability Act (HIPAA). The department said the 2021 amendment is designed to ensure that healthcare organizations and their partners are doing everything possible to protect patient information.

In its request for information (dubbed an RFI), the health department is asking the public to offer insight on how organizations are implementing security measures, and how they plan to demonstrate those safeguards are in place.

The health department is also seeking public input on issuing monetary penalties and settlements.

The HITECH Act requires the HHS Office of Civil Rights to determine the amounts of penalties based on the nature of the violation and the amount of harm caused by the violation. But the law doesn’t define “harm” or offer direction to the health department in defining what constitutes harm, according to the agency.

The health department is seeking public comment on what type of harm should be considered in determining financial penalties or settlements for violations. The public is also invited to submit methods for determining fines or settlements and how the money should be disbursed.

Lisa Pino, director of the HHS Office of Civil Rights, said she was looking forward to reviewing comments from those within the healthcare industry and the general public.

“I encourage those who have been historically underserved, marginalized, or subject to discrimination or systemic disadvantage to comment on this RFI, so we hear your voice and fully consider your interests in future rulemaking and guidance,” Pino said in a statement.

Hundreds of healthcare organizations have endured cyberattacks in recent years. More than 100 breaches have already been reported to HHS this year, affecting millions of people.

Many of those attacks involve patient data. Among healthcare information technology officials reporting significant attacks affecting operations, roughly one in five (22%) said the incidents involved a data breach or data leakage, according to the HIMSS 2021 cybersecurity survey. Data breaches are among the top concerns of healthcare cybersecurity professionals, the survey found.

Hospitals and other healthcare organizations face high costs when hit by cyberattacks. Breaches affecting healthcare are the most expensive in any industry, according to a report by IBM. The average healthcare breach rose to $9.4 million in 2021, an increase of $2 million over the previous year.

Those wishing their comments to be considered must submit them by June 6. For information on submitting comments, visit the Federal Register.
